recommended reading

5 Ways to Spot a Coerced Insider Threat

Andrea Danti/


By William Senich October 22, 2015

recent posts

William Senich is corporate vice president for global cyber solutions at Alion Science and Technology.

The scariest part of the Office of Personnel Management data breach isn’t that hackers have the data – it’s what they plan to do with it.

The sheer amount of personal information seized, allegedly by a Chinese espionage operation, has grabbed headlines for months. We know there are nearly 22 million Americans who had their data stolen. We also now know that nearly 6 million people had their fingerprint data stolen, leading to a host of new national security issues.

While the fact that this data has been stolen is scary, the bigger question is what will the hackers do with it?

When a large corporation is hacked for personal information, it usually takes the form of recent incidents at Home Depot or Target where customers’ credit card information is stolen and used by perpetrators for fraudulent purposes. Specifically, those who stole the credit card information were making unauthorized purchases or taking out cash against the credit line.  

It is those outcomes that led the government to offer free credit reporting and protection for those involved in the OPM hack. But the motivation behind swiping the information of more than 22 million federal employees, contractors and partners could be more sinister.

There are myriad reasons why this personal information could be so valuable to foreign actors. They could use this information to spy on Americans. They could share this information with allies or sell it to terrorists. They could use this information to expose American spies abroad. They could also use this information to create new insider threats on American soil.

We typically think of insider threats as self-motivated – for instance, selling IP or national secrets for financial gain – but that is not always the case. A subset of insider threat is the “coerced threat,” where an individual has been pressured into malicious activities by a hacker who has used the threat of exposing personal information as leverage. While this is a traditionally rare form of insider threat, it is unfortunately a new reality we must be prepared for.

For example, if an individual were in financial trouble, a hacker would classify him or her as a high-value target and ply them with money in exchange for classified information. The coerced threat, in theory, would be undetectable because the employee is in good standing, trusted and not worried about as a threat internally.

The National Insider Threat Policy outlines how government agencies need to monitor for threats, and it is highly recommended all federal agencies deploy third-party software to perform instant analysis of data. However, agencies need to look beyond data analysis and become more proactive in how they evaluate employees to account for a coerced threat.

In particular, a coerced threat differs from a traditional insider threat in terms of how the threat would be identified. For traditional insider threat risk, there are traditional warning signs – reduced loyalty, lack of empathy or a pattern of poor behavior – that easily cause warning signs.

But for a coerced threat, their outward behavior will likely not change at all. This is where agencies must look out for behaviors that are normal in isolation but are cause for concern taken in totality.

Here are five behavioral indicators that could indicate an employee in good standing has been coerced.

  • Remotely accesses the network while on vacation, sick or at odd times
  • Works odd hours without authorization
  • Notable enthusiasm for overtime, weekend or unusual work schedules.
  • Unnecessarily copies materials, especially if proprietary
  • Interest in matters outside the scope of their duties

If you have an employee or contractor remotely accessing the network on vacation, that may not be cause for concern. But if that same person is also working odd hours without authorization, that should raise suspicions and potentially prompt an investigation.

As federal agencies ramp up their insider threat detection over the next year, they need to always keep the notion of a coerced threat in mind. The ways insider attacks are carried out are ever-changing. That means the way insider threats are detected must as well.

(Image via Andrea Danti/


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.